Windows Server 2008, the host with the most

IT shops are likely to use Windows Server 2008 the same way they use Windows Server 2003 now, except that they can now run many independent virtual Windows Servers whose features and footprint scale across a broad range of options.

Big services for small clients

Windows Server 2008 covers another flavor of virtualization in the form of Terminal Services. Terminal Services has long been a mainstay of Windows Server; the big news in this release is its HTTPS tunnel, the Terminal Services Gateway. Edge security often blocks inbound access to the TCP ports that Terminal Services needs. The Terminal Services Gateway lets remote clients that would normally be blocked by firewalls reach Terminal Services without the hassle of a VPN, but with full security and auditing.

Terminal Services Gateway will undoubtedly be played by competitors as an exploitable backdoor, but it's a much smarter way to control user access (internal as well as external) to network services. Terminal Services Gateway requires the application of Remote Access Policies (RAP), which define and enforce the characteristics of clients permitted to access Terminal Services, and remote services in general. A client that doesn't meet RAP's health tests and policies, such as a notebook that an internal hacker plugs into your network, can't get in through Terminal Services or any other means. Period.

Seriously? Absolutely. BitLocker local disk encryption can be defined as an enforced remote access policy. Users like encryption for privacy, but IT will love BitLocker. It uses a client system's Trusted Platform Module (TPM) to create a file access authentication path that users cannot bypass, even if they boot from a non-encrypted drive or overwrite the boot blocks on the local drive. If policies allow users to work with local copies of sensitive files, the TPM can ensure that those files are unreadable away from the network and cannot be copied to removable media.

More to the point, if you have a lapse in security that allows a user inside the firewall to suck in a database of customer information, when they get their client home they won't be able to read the files they've stolen. All access to Windows Server 2008 is revocable at the user, client computer, or group level. To absolutely, positively terminate employees' or contractors' network access, and access to locally stored files, the administrator need only create and distribute a new certificate. This is one of many simple ways to change the locks in Windows Server 2008.

This, too, will raise the hackles of those who don't like the idea of systems that users can't control, but they should know that BitLocker and RAP do not preclude the use of other operating systems, and they can be undone by someone with administrative privileges (another reason to extend these sparingly). Used properly, RAP, TPM, and BitLocker can obviate the necessity for client-side security agents and hardware such as USB crypto keys.

Windows Server 2008 enhances network security in other ways as well. Tunneling is implemented in several Windows network services, and can be extended to any application through socket sharing. Several applications, even applications that use different protocols, can listen on a single TCP socket. Traffic analysis routes packets to the appropriate application, and port sharing doesn't interfere with load balancing.

The potential for OS-level tunneling becomes evident when many guest OS instances are run on a single physical host. The Windows Server 2008 host acts as a gateway and load balancer. Tunneling may allow guests to share one TCP port such that one heavily monitored HTTPS socket might be the only direct access a virtual host has to the outside world. I haven't tested this to see if it's a feature in the current release, but I see this as tunneling's greatest potential use.
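The one-port, many-application routing described in the two paragraphs above, as an added illustration rather than Windows' own port-sharing implementation: a small asyncio demultiplexer that classifies each new connection from its opening bytes (plain HTTP including the RPC-over-HTTP verbs a gateway tunnel uses, a TLS handshake, or a raw RDP connection request) and forwards it to the matching backend, logging one audit line per routing decision so the single shared socket stays monitorable. The backend addresses are constructed placeholders and the port assignments are assumptions.

```python
import asyncio
import logging
from typing import Optional

logging.basicConfig(level=logging.INFO, format="%(asctime)s %(message)s")
log = logging.getLogger("demux")

# Hypothetical backends that share the one listening port; addresses are constructed.
BACKENDS = {"http": ("127.0.0.1", 8080), "tls": ("127.0.0.1", 8443), "rdp": ("127.0.0.1", 3389)}
HTTP_METHODS = (b"GET ", b"POST ", b"HEAD ", b"PUT ", b"OPTIONS ", b"RPC_IN_DATA ", b"RPC_OUT_DATA ")

def classify_protocol(prefix: bytes) -> Optional[str]:
    """Decide which application a new connection belongs to from its first bytes.
    Returns "http", "tls", "rdp", or None when the bytes match no known protocol."""
    if prefix.startswith(HTTP_METHODS):
        return "http"                      # plain HTTP, including RPC-over-HTTP verbs
    if len(prefix) >= 3 and prefix[0] == 0x16 and prefix[1] == 0x03 and prefix[2] <= 0x04:
        return "tls"                       # TLS record: handshake content type, version 3.x
    if len(prefix) >= 6 and prefix[:2] == b"\x03\x00" and prefix[5] == 0xE0:
        return "rdp"                       # TPKT header followed by an X.224 Connection Request
    return None

async def pump(reader, writer):
    """Copy bytes one way until EOF, then close the destination."""
    try:
        while data := await reader.read(65536):
            writer.write(data)
            await writer.drain()
    finally:
        writer.close()

async def handle(client_r, client_w):
    peer = client_w.get_extra_info("peername")
    prefix = await client_r.read(16)       # peek at the opening bytes only
    proto = classify_protocol(prefix)
    if proto is None:
        log.warning("DROP %s unknown protocol prefix=%r", peer, prefix[:8])
        client_w.close()
        return
    log.info("ROUTE %s -> %s", peer, proto)  # one audit line per routed connection
    host, port = BACKENDS[proto]
    back_r, back_w = await asyncio.open_connection(host, port)
    back_w.write(prefix)                   # replay the bytes consumed while classifying
    await asyncio.gather(pump(client_r, back_w), pump(back_r, client_w))

async def main(port: int = 443):
    server = await asyncio.start_server(handle, "0.0.0.0", port)
    async with server:
        await server.serve_forever()

if __name__ == "__main__":
    asyncio.run(main())
```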

With or without tunneling, Terminal Services has grown from a convenience to a necessity. Remote Desktop Protocol versions 6 and 6.1 are bundled with Vista, and count among the many new Windows Server 2008 features that roll out a red carpet for Vista clients. In the recent past, I have taken the position that IT shouldn't be forced into Vista. After working with Vista and Windows Server 2008, especially Terminal Services, I have reversed my position. As you migrate from Windows Server 2003 to 2008, upgrade your clients as well.

Tom Yager

InfoWorld